June 24, 2019
This piece was published on June 17, 2019 by Law360.
Pandemics and natural disasters historically include influenza outbreaks, hurricanes, earthquakes, fires, and other incidents which have caused massive public safety challenges and harm to a large number of people.
While insurers have become good at calculating the risks associated with these naturally occurring events, they are facing new challenges in how they provide coverage and determine losses for ‘cyber pandemics’ and ‘cyber hurricanes’.
Cyber pandemics include the WannaCry and NotPetya contagious malware attacks that froze hundreds of thousands of computers across the globe. The extent of damage caused by these cyber pandemics makes contagious malware the greatest potential cause of catastrophic damage among the various types of cybersecurity threats.
Not far behind this threat are concerns about the possibility of a ‘cyber hurricane’, a massive shutdown of the cloud that would cripple commerce and industry. So far, cloud failures — either the result of unforeseen malfunctions or intentional cyberattacks — have been limited to individual services. But the concern exists that a broader cloud failure could someday affect hundreds of millions of computer users all at once.
A global contagious malware attack has the potential to cause $193 billion in economic losses with 86% of the total losses being uninsured, leaving an insurance gap of $166 billion, a Lloyd’s of London report suggests.
Insurers need to be aware of the dangers of contagious malware and cloud vulnerabilities as the demand for cyberinsurance coverage grows. Insurers face pressure to develop ways to quantify losses from attacks, construct models to predict future losses, and address aggregation risk in the event of a major attack.
The WannaCry and NotPetya ransomware attacks are examples of how contagious malware can spread to global proportions.
WannaCry gained notoriety in May 2017 when it paralyzed Britain’s National Health Service, freezing some 70,000 computers and medical devices. Almost 7,000 patients went untreated, as hackers demanded ransom to release frozen medical records.
Ultimately, WannaCry was said to have affected some 300,000 computers and devices in 150 countries, with total losses estimated at $8 billion, which includes ransom payments and lost business. And like most viruses, WannaCry struck again in March 2018, and was blamed for a shutdown of computers at Boeing.
NotPetya was a ransomware attack that surfaced in June 2017, temporarily disabling a power plant in Ukraine. It ultimately spread to 65 countries, and hindered operations at multinational companies like Merck & Co., FedEx Corp., DLA Piper, A.P. Moller-Maersk, and Cadbury Chocolate. Estimated total losses exceeded $1 billion.
The size and scope of these malware attacks are a concern to industry, governments, and private citizens, and there is no indication that cyber pandemics will come to an end any time soon.
In fact, attacks are increasing in sophistication. They are no longer the purview of basement hackers, but instead they emanate from hostile nation states such as North Korea, China, Russia, and Iran, which have put their intellectual and monetary capacity behind some of the attacks, using advanced tradecraft that can be difficult to readily detect.
In the coming years, the incidence of malware attacks will likely continue to increase, striking a broader pool of victims across large geographies, according to several studies on global cybersecurity.
Contagious malware attacks will increase in scope and sophistication, targeting more mobile devices and system routers and modems. The FBI recently warned of a Russian-based attack on Wi-Fi routers that could be used to infiltrate larger computer networks, or simply freeze the routers and turn them into useless ‘bricks’.
With more businesses now turning to cloud computing, the chances of a huge disruption in service are rising, a scenario that would be styled as a ‘cyber hurricane’.
Insurer Lloyd’s of London and AIR Worldwide, a catastrophe risk modeling firm, described such a scenario in a report titled, “Cloud Down: Impacts on the U.S. Economy.” It surmises that a disruption to one of the top three cloud services for three to six days would cost the U.S. economy between $5.3 billion and $19 billion.
And cloud service can be interrupted in several ways, from cyberattacks, to hardware or software issues, to human error.
Consider a four-hour disruption in the Amazon cloud in March 2017, caused when an employee entered the wrong command on a computer. The outage affected half the nation’s top 100 retailers and caused an estimated $150 million in losses.
Microsoft Azure remains a perennial target for attackers using ever-evolving techniques to attempt to infiltrate its cloud service. In its security report, Microsoft warned how quickly a malicious attack can spread once a hacker gains access to the cloud.
As explained in the report, “In a cloud weaponization threat scenario, an attacker establishes a foothold within a cloud infrastructure by compromising and taking control of one or more virtual machines.” The attacker can then use these virtual machines to launch attacks, including:
- Brute force attacks against other virtual machines;
- Spam campaigns that can be used for email phishing attacks;
- Reconnaissance such as port scanning to identify new attack targets; and
- Other malicious activities.
Challenges for Insurers
There is increasing demand on the part of companies to purchase more cyberinsurance protection. Total cyberinsurance premiums, which now stand at about $2.5 billion worldwide, are expected to grow to $10 billion by 2020, according to a report by insurance broker Willis Towers Watson.
But companies complain that they can’t get as much coverage as they need because insurers have trouble quantifying the potential losses from cyberattacks.
Underwriters contend they don’t have enough data to determine how many cyberattacks have occurred and the extent of the damage. Many attacks go unreported, as companies fear damaging their reputations and others may not even know they’ve been attacked.
It is equally difficult to develop a threat model. With traditional natural disasters, there is more information about past events that enable underwriters to predict the chances of future losses. While cyber threat modeling is improving, it is still more art than science because new attacks employ different tactics and continue to increase in sophistication.
Aggregation risk is also a major issue. With the rise in contagious malware and threats to the cloud, insurers face a number of challenges. Insurers are concerned about being exposed to a large number of cyberloss claims in a short time frame, something akin to a hurricane or earthquake. For example, an attack on the U.S. power grid could spread to power utilities across the country, causing huge losses for insurers. The aggregation risk from most natural disasters can be limited because they affect only certain geographic areas. The aggregation risk from a cyberattack can be global.
There also isn’t a clear understanding of what cyberinsurance policies cover, and how much insurance coverage companies need. Companies often fail to understand that their general liability policies do not cover cyberattacks. Even firms with cyberinsurance may not be covered for major attacks, such as state-sponsored breaches. The problem for insurers is compounded by the fact that there is no standardized cyberinsurance policy. Coverage is often pulled together to meet the company’s specific needs.
Being Prepared and Proactive
Successful organizations need to be prepared and take proactive measures when addressing cybersecurity. Developing a game plan before a breach occurs is critical to reducing risk and losses.
It is important to collaborate with all stakeholders in an organization to develop a customized, comprehensive, and actionable cyberincident response plan that follows industry standard best practices. Perhaps more importantly, companies need to practice their plan, so they can implement it effectively when the attack occurs.
Disaster Recovery and Business Continuity
Despite increased focus on the development and implementation of sophisticated information security programs, cybersecurity events are inevitable and are now the major cause of operational downtime and liability. Not surprisingly, business interruption perennially ranks among the top 10 risks named by senior management and board members across many industry sectors.
As disruptive natural or man-made events increasingly occur, leaders recognize that their organizations must understand the consequences of business interruption and the impact it can have to the financial, reputational, legal, and regulatory health of the enterprise. Management teams are expected to be able to effectively run their organizations through a crisis.
The causal link between cyberincidents and operational downtime is becoming increasingly profound. The near inevitability of cyberattacks on most organizations obligates risk-aware management and boards to develop and test contingency plans as a way of assuring shareholders, regulators, and customers that they are fully committed to performing through the chaos and uncertainty of these damaging scenarios. The risk concentration from having moved so aggressively to the cloud means that organizations need to have disaster recovery plans that include non-cloud failover mechanisms.
Forecasting the Future
Contagious malware attacks and cloud breaches are only likely to grow in frequency and scope, increasing the urgency for companies to evaluate their business interruption insurance coverage.
Insurers need to find ways to better quantify losses from attacks, develop models to predict future losses, and address aggregation risk in case of a major attack resulting in an unexpectedly large number of claims.
Finding better methods to collect and share data, more accurately modeling risk from future attacks, and developing a standardized system of coverage are pathways to creating a robust and competitive cyberinsurance market that protects consumers, businesses, and the insurance industry.
Darin Bielby and Scott Corzine are senior managing directors and Christopher Todd Doss is a managing director at Ankura Consulting Group LLC. The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.